Buyer Beware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware
2022-12-01 • Volexity
Volexity analyzed Lazarus Group activity targeting cryptocurrency users and organizations with a new AppleJeus variant. The campaign registered the domain bloxholder[.]com and used it to host a clone of the HaasOnline site rebranded as BloxHolder, from which victims downloaded BloxHolder_v1.2.5.msi. The installer set up the legitimate QTBitcoinTrader application alongside malicious components so that the lure kept working. It also created a scheduled task under %APPDATA%\Roaming\Bloxholder that executed a legitimate binary; that binary loaded a legitimate DLL, which in turn loaded the malicious DUser.dll, so the malware ran inside a signed, trusted process without the host binary itself being modified. Volexity highlighted this chained DLL side-loading as a variation it had not previously seen documented in the wild and linked the activity to historical Lazarus AppleJeus tradecraft.
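The detection a practitioner would want from the summary above is a check for the two observable steps of the chain: a system DLL name (here DUser.dll) being loaded from outside the Windows system directories by a process that itself lives in a user-writable location, and a scheduled task whose action points into a user-writable directory such as %APPDATA%. The following is an added example, not code from Volexity or from the report; it runs over constructed Sysmon Event ID 7 (ImageLoad) and Security Event ID 4698 (task created) records, and the host binary name `host.exe`, the task name and the event field layout are assumptions, not indicators from the page.

```python
import re

# Directories from which Windows normally loads its own DLLs.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# System DLL names to watch for side-loading. DUser.dll is the DLL named in the
# report; extending this set from your own baseline is assumed to be your job.
WATCHED_DLLS = {"duser.dll"}

# Path fragments marking user-writable locations where dropped side-loading hosts
# typically live (%APPDATA% expands to ...\AppData\Roaming).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\programdata\\")


def _norm(path):
    """Lower-case and normalise separators so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def in_user_writable(path):
    return any(fragment in _norm(path) for fragment in USER_WRITABLE)


def classify_image_load(event):
    """Classify a Sysmon Event ID 7 (ImageLoad) record.

    Returns None for a benign load, 'sideload' when a watched system DLL name is
    loaded from outside the Windows system directories, and 'sideload-userdir'
    when additionally the loading process runs from a user-writable directory.
    """
    if event.get("EventID") != 7:
        return None
    loaded = _norm(event["ImageLoaded"])
    if loaded.rsplit("\\", 1)[-1] not in WATCHED_DLLS:
        return None
    if loaded.startswith(SYSTEM_DIRS):
        return None
    return "sideload-userdir" if in_user_writable(event["Image"]) else "sideload"


_CMD_RE = re.compile(r"<Command>(.*?)</Command>", re.IGNORECASE | re.DOTALL)


def classify_task_creation(event):
    """Classify a Security Event ID 4698 (scheduled task created) record.

    Returns the command path if any <Exec><Command> in the TaskContent XML points
    into a user-writable directory, else None.
    """
    if event.get("EventID") != 4698:
        return None
    for cmd in _CMD_RE.findall(event.get("TaskContent", "")):
        if in_user_writable(cmd):
            return cmd.strip()
    return None


def triage(events):
    """Run both checks over a list of event dicts and return (kind, ...) findings."""
    findings = []
    for ev in events:
        kind = classify_image_load(ev)
        if kind:
            findings.append((kind, ev["Image"], ev["ImageLoaded"]))
        cmd = classify_task_creation(ev)
        if cmd:
            findings.append(("task-userdir", ev.get("TaskName", "?"), cmd))
    return findings


# Constructed sample events, not telemetry from the report. "host.exe" and the
# task name "\Bloxholder" are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\DUser.dll"},  # benign: system copy
    {"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Bloxholder\\host.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\Bloxholder\\DUser.dll"},  # side-load
    {"EventID": 4698, "TaskName": "\\Bloxholder",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Users\\alice\\AppData\\Roaming"
                    "\\Bloxholder\\host.exe</Command></Exec></Actions></Task>"},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": "<Task><Actions><Exec><Command>%windir%\\system32\\defrag.exe"
                    "</Command></Exec></Actions></Task>"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding)
```

Note that the image-load check keys on the DLL's file name rather than on a hash, because the side-loaded DUser.dll is the attacker-controlled file and its hash changes between builds; the legitimate host binary and intermediate DLL hash-match clean Microsoft files and would not trip a hash-based rule. A loader process outside Program Files or Windows is what raises the finding from "sideload" to "sideload-userdir".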
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | fe948451df90df80c8028b969bf89ec… | 2022-12-01 | 2026-04-03 |
| DOMAIN | rebelthumb.net | 2022-12-01 | 2024-09-18 |
| URL | https://strainservice.com/resou… | 2022-12-01 | 2023-10-26 |
| DOMAIN | strainservice.com | 2022-12-01 | 2023-10-26 |
| HASH | 76111d9780b2d0b5adee61cf752d937e | 2022-12-01 | 2023-05-02 |
| HASH | 9352625b3e6a3c998e328e11ad43efb… | 2022-12-01 | 2023-05-02 |
| HASH | 5b03294b72c0caa5fb20e7817002c60… | 2022-12-01 | 2023-05-02 |
| DOMAIN | wirexpro.com | 2022-12-01 | 2023-04-03 |
| DOMAIN | oilycargo.com | 2022-12-01 | 2023-04-03 |
| HASH | e5980e18319027f0c28cd2f581e75e7… | 2022-12-01 | 2022-12-06 |
| HASH | a2d3c41e6812044573a939a51a22d65… | 2022-12-01 | 2022-12-06 |
| HASH | abca3253c003af67113f83df2242a70… | 2022-12-01 | 2022-12-06 |
| HASH | 18e190413af045db88dfbd29609eb877 | 2022-12-01 | 2022-12-05 |
| DOMAIN | telloo.io | 2022-12-01 | 2022-12-05 |
| DOMAIN | bloxholder.com | 2022-12-01 | 2022-12-05 |
| HASH | 245bb604621cea7962668325995bca7c | 2022-12-01 | 2022-12-01 |
| HASH | 17e6189c19dedea678969e042c64de2… | 2022-12-01 | 2022-12-01 |
| HASH | 82d6b2e14763f398d2a559d3f7fbf2f… | 2022-12-01 | 2022-12-01 |
| HASH | 2e8d2525a523b0a47a22a1e9cc9219d… | 2022-12-01 | 2022-12-01 |
| HASH | eee4e3612af96b694e28e3794c4ee4a… | 2022-12-01 | 2022-12-01 |
| HASH | 4c5611d63fd78a2de9591d7b4d70c57… | 2022-12-01 | 2022-12-01 |
| HASH | 90b0a4c9fe8fd0084a5d50ed781c7c8… | 2022-12-01 | 2022-12-01 |
| HASH | b801643e2d817931e6aa36e6bf24d1c… | 2022-12-01 | 2022-12-01 |
| HASH | 479cc0a490ffa98652683796c5cef12… | 2022-12-01 | 2022-12-01 |
| HASH | cc5544eff3e5b9cf20d8cf229114759… | 2022-12-01 | 2022-12-01 |
| HASH | a0db8f8f13a27df1eacbc01505f311f… | 2022-12-01 | 2022-12-01 |
| HASH | eb1e19613a6a260ddd0ae9224178355b | 2022-12-01 | 2022-12-01 |
| HASH | 295c20d0f0a03fd8230098fade0af91… | 2022-12-01 | 2022-12-01 |
| HASH | 636813038ba5c9755aa881ae62e2911… | 2022-12-01 | 2022-12-01 |
| HASH | efaf52549ffcc8a16373a8f7f0bddeb… | 2022-12-01 | 2022-12-01 |
| HASH | ae34fa6c6baf77390fb3ff683d880cd… | 2022-12-01 | 2022-12-01 |
| HASH | 18644822140eda7493bd75ba1e1f235d | 2022-12-01 | 2022-12-01 |
| HASH | e66bc1e91f1a214d098cf44ddb1ae91a | 2022-12-01 | 2022-12-01 |
| HASH | 51871504c1d5c09ade5e2a1e6e98c37a | 2022-12-01 | 2022-12-01 |
| DOMAIN | haasonline.com | 2022-12-01 | 2022-12-01 |